Trivy supply chain attack expands across CI/CD pipelines with 141 malicious packages
A supply chain attack targeting Aqua Security’s Trivy vulnerability scanner has expanded, with researchers from Socket identifying at least 141 malicious artifacts across more than 66 packages following the initial compromise.
The campaign began with unauthorized access to Trivy’s GitHub Actions environment, where attackers used stolen credentials to publish malicious code into trusted components used in CI/CD pipelines.
The attack involved replacing legitimate package contents with credential-stealing malware, which is designed to extract sensitive data such as API keys, cloud credentials, SSH keys, and authentication tokens from affected environments.
The malicious code executes within automated workflows, allowing it to collect secrets from CI/CD runners and transmit them to attacker-controlled infrastructure.
Researchers also observed that the campaign exhibits self-propagating behavior, where stolen publishing tokens are reused to compromise additional packages and distribute malicious updates, enabling the attack to spread across development ecosystems as compromised pipelines unknowingly publish infected code to downstream users.
Damon Small, Board of Directors, Xcape, Inc.:
“This incident is a masterclass in why “trust but verify” is dead in CI/CD. By force-pushing malicious commits to existing version tags (e.g., @v0.34.2), the threat actor – identified as TeamPCP – turned a trusted security tool into a weaponized delivery vehicle without changing a single line of a user’s workflow file. This highlights the fatal flaw of relying on mutable Git tags rather than immutable commit SHAs.
“The risk here is a “wormable” supply chain: the malware scrapes runner memory for GitHub PATs and cloud keys, which it then uses to compromise any other repositories that the infected pipeline has write access to. For defenders, the priority isn’t just updating Trivy; it is a scorched-earth credential rotation.
“If your pipelines ran a Trivy scan between March 19 and March 23, 2026, you must assume every secret accessible to that runner – AWS keys, NPM tokens, and SSH keys – has been exfiltrated. Moving forward, security teams must enforce the pinning of all third-party GitHub Actions to full 40-character commit hashes to prevent this “silent” tag-swapping from recurring.
“It takes a special kind of irony for a vulnerability scanner to become the primary infection vector for your entire cloud environment.”
Rajeev Raghunarayan, Head of GTM, Averlon:
“Incidents like the Trivy compromise show how modern attacks move through trusted development pipelines by combining weaknesses across code, infrastructure, and identity.
“The real risk isn’t just how attackers get in. It’s what that access allows them to reach. Once CI/CD systems are involved, attackers can inject malicious code into trusted artifacts, then use automation to access sensitive credentials and spread downstream.
“This is why organizations need to focus on attack pathways, not just individual issues. Understanding how exposures connect, and prioritizing the ones that lead to critical systems, is what ultimately limits blast radius.”
Denis Calderone, CTO, Suzu Labs:
“This is the inherited trust problem we’ve been tracking all month, but this one takes it to a completely different level. The other incidents, VMware, Cisco, Stryker’s MDM, n8n, were all management tools that carry deep access in your environment. Trivy is an example where the actual tool you run to find vulnerabilities is the vulnerability. The scanner was harvesting the most sensitive credentials before the legitimate scan even executed.
“This is the same pattern we saw with SolarWinds back in 2020, where the security monitoring platform became the attack vector. When the tool you trust to establish trust is the one that’s been turned against you, you’ve got an inherited trust problem at the deepest level there is.
“The technical execution here is worth paying attention to. Stolen credentials from a misconfigured GitHub Actions workflow gave the attackers access to push malicious code into 75 of 76 version tags. The payload ran inside CI/CD pipelines, silently collecting GitHub tokens, cloud credentials, SSH keys, Kubernetes tokens, database passwords, and crypto wallets from every pipeline that pulled the compromised version. CI/CD runners hold the keys to everything, so compromising the pipeline is effectively compromising every environment that pipeline touches.
“What really has our attention going forward though is the CanisterWorm component. This is the first documented malware to use blockchain for command and control. Instead of traditional C2 servers that can be seized or sinkholed, the attackers are using Smart Contracts as a decentralized dead-drop. There’s no single server to take down, no domain to block. The operator can rotate payloads on-chain without ever touching an infected host. This is a fundamental shift in how attackers maintain persistence and control, and if this model proves out, it’s going to change how we think about disrupting campaigns.
“Traditional takedown playbooks don’t work when the command infrastructure is immutable by design.”
Well, this illustrates how dangerous supply chain attacks are. Defenders should treat this as a teachable moment and make sure their organizations are not affected by the next one.
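The pinning rule Damon Small recommends above can be enforced mechanically. The following is an added example, not code from this post or from the Trivy project: a Python check that flags every `uses:` reference not pinned to a full 40-character commit SHA. The workflow text, the `example-org/scan-action` name and the SHA are constructed for illustration; the `@v0.34.2` tag is the one quoted above.

```python
import re
import sys

# Matches a "uses:" value, with or without the leading "- " of a list item.
# Commented-out lines do not match, and a trailing "# v1.2.3" comment is ignored.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# Constructed sample workflow (hypothetical action name and SHA).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan
        uses: example-org/scan-action@v0.34.2
      - uses: example-org/scan-action@0123456789abcdef0123456789abcdef01234567  # v0.34.2
      - uses: example-org/scan-action@0123456
      - uses: ./.github/actions/local-step
"""

def classify(target):
    """Return 'local', 'docker', 'pinned' or 'mutable' for one uses: value."""
    if target.startswith("./"):
        return "local"    # action from the same repository and commit
    if target.startswith("docker://"):
        return "docker"   # image reference; digest pinning is a separate check
    _, sep, ref = target.partition("@")
    if sep and FULL_SHA_RE.match(ref):
        return "pinned"
    return "mutable"      # tag, branch, abbreviated SHA, or no ref at all

def unpinned_actions(workflow_text):
    """Return (line_number, uses_value) for each reference that can be re-pointed."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((number, match.group(1)))
    return findings

if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows/*.yml ; exits 1 on any finding.
    texts = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE_WORKFLOW}
    hits = [(p, n, u) for p, t in texts.items() for n, u in unpinned_actions(t)]
    for path, number, uses in hits:
        print(f"{path}:{number}: not pinned to a full commit SHA: {uses}")
    sys.exit(1 if hits else 0)
```

Run as a required CI step, the non-zero exit blocks a merge that introduces a tag, branch or abbreviated-SHA reference; the abbreviated SHA is flagged because only the full 40-character form is treated as pinned.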
This entry was posted on March 24, 2026 at 3:56 pm and is filed under Commentary with tags Hacked.